CN112422567B - Network intrusion detection method oriented to large flow - Google Patents


Info

Publication number
CN112422567B
Authority
CN
China
Prior art keywords
flow
protocol
detection
matching
network
Prior art date
Legal status
Active
Application number
CN202011296572.0A
Other languages
Chinese (zh)
Other versions
CN112422567A (en)
Inventor
庞文俊
陈继
汤桂林
李小超
伊晓强
Current Assignee
Qingchuang Wangyu Hefei Technology Co ltd
Original Assignee
Qingchuang Wangyu Hefei Technology Co ltd
Priority date: 2020-11-18
Filing date: 2020-11-18
Publication date: 2022-11-15
Application filed by Qingchuang Wangyu Hefei Technology Co ltd
Priority to CN202011296572.0A
Publication of CN112422567A
Application granted
Publication of CN112422567B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/18 Multiprotocol handlers, e.g. single devices capable of handling multiple protocols

Abstract

The invention discloses a network intrusion detection method for high-volume traffic. For protocol analysis, the method inspects the IP addresses, ports and messages of traffic packets separately at the network layer, transport layer and application layer, which speeds up data processing, skips unnecessary processing, shortens processing time and suits high-volume network intrusion detection. For feature matching, protocols with definite partial feature information are handled by a targeted AC automaton; for protocols without specific feature information, the traffic payload is matched against a hyperscan feature library. Using different analysis methods for different protocols speeds up matching hits and reduces resource consumption.

Description

Network intrusion detection method oriented to large flow
Technical Field
The invention relates to the technical field of network traffic protocol analysis, in particular to a network intrusion detection method for high-volume traffic.
Background
With the accelerating pace of global informatization, network security is becoming increasingly important. In today's high-speed switched network environments, attack techniques are growing more complex, and intrusion detection has attracted considerable attention. Intrusion detection collects and analyzes information from a number of key points in a computer network or computer system to discover violations of the security policy and evidence of attacks on the network or system.
In terms of data analysis method, intrusion detection is generally classified into misuse detection and anomaly detection. Misuse detection derives a set of possible attack features by analyzing various attack techniques, processes the current data source against that feature set or the corresponding rule set, and then performs feature or rule matching to decide whether an attack is taking place.
DPI (Deep Packet Inspection) is a packet-based deep inspection technique. By inspecting and analyzing traffic and message content at key points of a network and filtering the inspected traffic according to a predefined policy, it provides fine-grained service identification, service flow-direction analysis, service-proportion statistics and shaping, defence against application-layer denial of service, filtering of viruses and trojans, and control of P2P abuse on the link where it is deployed. Different DPI technologies keep emerging, and OpenDPI is currently available as open source. The OpenDPI detection process is complicated and repetitive, it cannot handle protocol characteristics, its processing capability in high-traffic scenarios is poor, and its performance falls short of requirements.
Disclosure of Invention
Aiming at the technical defect that existing traffic protocol analysis techniques are unsuited to high-traffic scenarios, the invention provides a network intrusion detection method oriented to large flow.
A network intrusion detection method oriented to large flow comprises the following steps:
step 1, acquiring the network traffic and splitting it for processing;
step 2, carrying out IP detection at the network layer on the split traffic, determining the traffic whose protocol type is identified by the IP detection, and skipping to step 6;
step 3, carrying out port detection at the transport layer on the split traffic, determining the traffic whose protocol type is identified by the port detection, and skipping to step 6;
step 4, carrying out message detection at the application layer on the split traffic, determining the traffic whose protocol type is identified by the message detection, and skipping to step 6;
step 5, for traffic whose protocol type is not determined by IP detection, port detection or message detection, performing feature matching of the traffic payload with hyperscan regular expressions, and skipping to step 7;
step 6, extracting traffic feature information according to the determined protocol type, and sending the extracted feature information to an AC automaton to complete matching;
step 7, intercepting the abnormal traffic according to the matching result.
Further, in the IP detection of step 2, a BM algorithm matching library is built from the IP address and the communication protocol used by each service; the matching library stores the correspondence between IP address and communication protocol.
Further, the port detection of step 3 targets the ports of protocols bound to fixed ports.
Further, in the message detection of step 4, the protocol hit by a message format is parsed according to the RFC document of that communication protocol, and the protocol type is then determined by combining the correspondence between request and response messages; preferably, the protocol hit by the message format is parsed according to the main feature points of the communication protocol.
The invention has the following beneficial effects:
1. For protocol analysis, the invention inspects the IP addresses, ports and messages of traffic packets at the network layer, transport layer and application layer respectively, which speeds up data processing, skips unnecessary processing, shortens processing time and suits high-volume network intrusion detection.
2. For feature matching, protocols with definite partial feature information can be matched by a targeted AC automaton, while protocols without specific feature information have their payload matched through a hyperscan feature library.
3. Different analysis methods for different protocols speed up matching hits and reduce resource consumption.
Drawings
Fig. 1 is a flow chart of a network intrusion detection method.
Detailed Description
The invention is described in further detail below with reference to the drawings and the detailed description. The embodiments of the present invention have been presented for purposes of illustration and description, and are not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to practitioners skilled in this art. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.
Example 1
A network intrusion detection method oriented to large traffic, as shown in fig. 1, includes the following steps:
1. Acquire the network traffic and split it for processing.
2. Perform IP detection on the split traffic, determine the traffic whose protocol type is identified by the IP detection, and skip to step 6.
IP detection targets the network layer of the packet. Some Internet services have fixed IP addresses and use fixed communication protocols, which gives a correspondence between IP address and communication protocol. A BM algorithm matching library is built from the IP addresses and the communication protocols those services use, and the library stores that correspondence. Part of the traffic can complete protocol analysis through IP detection alone, and that part is handled by the traffic distribution equipment to intercept traffic by IP address.
3. Perform port detection on the split traffic, determine the traffic whose protocol type is identified by the port detection, and skip to step 6.
Port detection targets the transport layer of the packet; TCP/UDP port numbers are also bound to some protocols. Because only a few port bytes need to be processed and the number of currently known fixed-protocol ports is small, port detection can use an array-index lookup, such as port 80 for HTTP, port 21 for FTP and port 110 for POP3. However, the ports of many protocols are now configurable, so port detection can only target the ports of fixed protocols; it still reduces the load on subsequent detection.
4. Perform message detection on the split traffic, determine the traffic whose protocol type is identified by the message detection, and skip to step 6.
Message detection targets the application layer of the packet and processes the packet payload. The protocol hit by a message format is parsed according to the RFC document of that communication protocol, and the protocol type is then determined by combining the correspondence between request and response messages. To save matching cost, the protocol hit by the message format is parsed according to the main feature points of the communication protocol.
More and more protocols are in use, and many services adopt customized communication protocols. To ease later expansion, the protocol library used in message detection allows internal protocols to be added or removed through insertion and deletion.
5. For traffic whose protocol type was not determined by IP detection, port detection or message detection, that is, protocols with no definite feature information, perform feature matching of the traffic payload through a hyperscan feature library, and skip to step 7.
6. Extract the traffic feature information according to the determined protocol type, and send the extracted feature information to an AC automaton to complete matching.
The AC automaton is a multi-pattern matching algorithm, used here mainly for the feature information of common protocols, such as the URL of HTTP, the SNI of HTTPS and the service domain name of SMTP. This information sits at a fixed position in the protocol packet, can be parsed according to the communication protocol, and is split into multiple character segments that the AC matching algorithm scans to obtain a matching result.
7. Intercept the abnormal traffic according to the matching result.
The invention detects the IP addresses, ports and messages of traffic packets at the network layer, transport layer and application layer respectively, which speeds up data processing, skips unnecessary processing, shortens processing time and suits high-volume network intrusion detection. The three protocol analyses are configurable, and one or two of the matching stages can be implemented independently.
The feature matching algorithm combines an AC automaton with a hyperscan feature library. Protocols with definite partial feature information can be matched in a targeted manner, while protocols without specific feature information have their payload matched through the hyperscan feature library.
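As an added illustration of steps 1 to 7 above (example code written for this page, not the patent's implementation), the following Python sketch builds the Aho-Corasick automaton of step 6 from scratch, runs the IP, port and message checks of steps 2 to 4 in order, and in place of the hyperscan library of step 5 falls back to a plain regex scan of the payload. The lookup tables, signatures and packets are constructed, and `inspect` returns the protocol and a pass/block verdict standing in for the interception of step 7.

```python
import re
from collections import deque
# Constructed tables standing in for the patent's IP matching library (step 2)
# and fixed-port table (step 3); every value is illustrative, not from the patent.
IP_PROTOCOL = {"203.0.113.10": "smtp"}
PORT_PROTOCOL = {80: "http", 21: "ftp", 110: "pop3", 443: "tls"}

def build_ac(patterns):
    """Aho-Corasick automaton: goto trie, failure links, per-state output sets."""
    goto, out, fail = [{}], [set()], [0]
    for pat in patterns:
        s = 0
        for ch in pat:
            if ch not in goto[s]:
                goto.append({}); out.append(set()); fail.append(0)
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s].add(pat)
    queue = deque(goto[0].values())            # depth-1 states fail to the root
    while queue:                               # BFS: fail[r] is set before r's children
        r = queue.popleft()
        for ch, s in goto[r].items():
            f = fail[r]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(ch, 0)
            out[s] |= out[fail[s]]             # inherit patterns ending at the fail state
            queue.append(s)
    return goto, out, fail

def ac_search(ac, text):
    goto, out, fail = ac                       # one left-to-right pass finds every pattern
    s, hits = 0, set()
    for ch in text:
        while s and ch not in goto[s]:
            s = fail[s]
        s = goto[s].get(ch, 0)
        hits |= out[s]
    return hits

def message_detect(payload):
    """Step 4 stand-in: format checks taken from the protocols' own specifications."""
    if payload[:4] in (b"GET ", b"POST") or payload[:5] == b"HEAD ":
        return "http"
    if payload[:2] == b"\x16\x03":             # TLS handshake record, version 3.x
        return "tls"
    return None

def identify_protocol(pkt):                    # steps 2-4, cheapest first; a hit short-circuits
    return (IP_PROTOCOL.get(pkt["dst_ip"]) or PORT_PROTOCOL.get(pkt["dst_port"])
            or message_detect(pkt["payload"]))

AC_FEATURES = build_ac(["../", "/etc/passwd"])        # constructed step-6 URL feature set
PAYLOAD_REGEX = [re.compile(rb"(?i)union\s+select")]  # constructed stand-in for hyperscan rules

def inspect(pkt):
    proto = identify_protocol(pkt)
    if proto is None:                          # step 5: no protocol, scan the whole payload
        hit = any(r.search(pkt["payload"]) for r in PAYLOAD_REGEX)
        return "unknown", "block" if hit else "pass"
    if proto == "http":                        # step 6: extract the URL field, run the automaton
        words = pkt["payload"].split(b"\r\n", 1)[0].split(b" ")
        url = words[1].decode("latin-1") if len(words) > 1 else ""
        return proto, "block" if ac_search(AC_FEATURES, url) else "pass"
    return proto, "pass"                       # other known protocols carry no rules in this demo
```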
It is to be understood that the described embodiments are merely a few embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by one of ordinary skill in the art and related arts based on the embodiments of the present invention without any creative effort, shall fall within the protection scope of the present invention.

Claims (2)

1. A network intrusion detection method facing large flow, characterized by comprising the following steps:
step 1, acquiring and splitting the network traffic;
step 2, carrying out IP detection of the network layer on the split traffic, establishing a BM algorithm matching library from the IP address and the communication protocol adopted by the service, storing the correspondence between the IP address and the communication protocol in the matching library so as to determine the traffic of the protocol type, and skipping to step 6;
step 3, carrying out port detection of the transport layer on the split traffic, determining the traffic of the protocol type through port detection aimed at the port of a bound protocol, and skipping to step 6;
step 4, performing message detection of the application layer on the split traffic, analyzing the protocol hit by the protocol message format according to the RFC document of the communication protocol, analyzing the protocol type by combining the correspondence between the request message and the response message, determining the traffic of the protocol type, and skipping to step 6;
step 5, for the traffic whose protocol type is not determined by IP detection, port detection and message detection, realizing the feature matching of the traffic payload by a hyperscan regular expression, and skipping to step 7;
step 6, extracting traffic feature information according to the determined protocol type, and sending the extracted traffic feature information to an AC automaton to complete matching;
step 7, intercepting the abnormal traffic according to the matching result.
2. The method according to claim 1, wherein the protocol hit by the protocol message format is analyzed according to the main feature points of the communication protocol.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011296572.0A CN112422567B (en) 2020-11-18 2020-11-18 Network intrusion detection method oriented to large flow

Publications (2)

Publication Number Publication Date
CN112422567A CN112422567A (en) 2021-02-26
CN112422567B true CN112422567B (en) 2022-11-15

Country Status (1)

Country Link
CN (1) CN112422567B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113132180B (en) * 2021-03-11 2022-07-29 武汉大学 Cooperative type large flow detection method facing programmable network
CN113037784B (en) * 2021-05-25 2021-09-21 金锐同创(北京)科技股份有限公司 Flow guiding method and device and electronic equipment
CN114499949B (en) * 2021-12-23 2022-09-20 北京环宇博亚科技有限公司 Device binding method and device, electronic device and computer readable medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7493659B1 (en) * 2002-03-05 2009-02-17 Mcafee, Inc. Network intrusion detection and analysis system and method
CN107657174A (en) * 2016-07-26 2018-02-02 北京计算机技术及应用研究所 A kind of Database Intrusion Detection method based on agreement fingerprint

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005099214A1 (en) * 2004-03-30 2005-10-20 Telecom Italia S.P.A. Method and system for network intrusion detection, related network and computer program product
CN103795709B (en) * 2013-12-27 2017-01-18 北京天融信软件有限公司 Network security detection method and system
CN105141604B (en) * 2015-08-19 2019-03-08 国家电网公司 A kind of network security threats detection method and system based on trusted service stream
CN106453438B (en) * 2016-12-23 2019-12-10 北京奇虎科技有限公司 Network attack identification method and device
CN107968791B (en) * 2017-12-15 2021-08-24 杭州迪普科技股份有限公司 Attack message detection method and device
CN110572380A (en) * 2019-08-30 2019-12-13 北京亚鸿世纪科技发展有限公司 TCP reinjection plugging method and device

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant